Cyber Attack On U.K. Electricity Market Confirmed: National Grid Investigates
The company that facilitates payments on the U.K. electricity market, tracking the trade between those who produce electricity and those who supply it and resolving the differences, has fallen victim to a cyber-attack. Elexon is at the center of the balancing and settlement system, working with Great Britain's National Grid Electricity System Operator (ESO) to keep the lights on. The lights didn't go off across the U.K. as a result of this cyber-attack, but internal IT systems and laptops at Elexon went dark.
A $2 billion energy market business
Elexon oversees the payments in the energy market between U.K. power station operators and the companies that supply electricity to consumers and businesses alike, so it plays a vital role in ensuring the lights really do stay on across the country. It does this not only by monitoring electricity generation and matching it to National Grid demand but also by ensuring that correct payments are made to those generating the juice. According to The Telegraph, which was first to break the news of this cyber-attack, that amounts to some $2.07 billion (£1.7 billion) of transactions every year. The combination of high-value transactions and a core position in the energy supply market makes companies such as Elexon a prime target for cybercriminals and nation-state hackers alike.
Indeed, there has been a lot of global nervousness around energy market security recently, with President Trump declaring foreign cybersecurity threats to the U.S. electricity system a national emergency in an executive order signed May 1.
How details of the Elexon cyber-attack emerged
As for the nature of the cyber-attack against Elexon itself, we will have to wait for the ongoing investigations to be completed before getting a complete picture. However, pieces of that picture are already starting to emerge.
The public disclosure of the attack was tweeted by Elexon yesterday and stated that "we are currently unable to send or receive any emails," while confirming that "internal IT systems have been impacted by a cyber-attack."
Elexon also released a midday bulletin through its market portal yesterday which gave more information, namely that "the attack is to our internal IT systems and ELEXON’s laptops only." The bulletin advised that the Balancing and Settlement Code (BSC) and Electricity Market Reform (EMR) payment systems were working normally. Later in the afternoon, Elexon updated that bulletin to confirm it had "identified the root cause" of the attack.
Meanwhile, the National Grid Electricity System Operator (ESO) tweeted that it was "investigating any potential impact on our own IT networks," but stated that "electricity supply is not affected," citing its robust cybersecurity measures.
Was this a ransomware attack?
Jérôme Robert, a director at cybersecurity specialist Alsid, said, "as this Elexon attack shows, critical national infrastructure, such as power networks, has always been an attractive target for hackers. Although there is still much we don’t know about this specific hack, with most employees working remotely, security professionals are faced with unprecedented new threats caused by the behavior of staff and challenges around enabling remote access." Robert also said that we have to "hope this is not a ransomware event, although it would not be surprising given the current popularity of those types of attacks. If it is ransomware, Elexon could face a long and expensive road to recovery."
Jake Moore, a cybersecurity specialist at ESET, said that the attack has "all the hallmarks of ransomware," given what is known so far and that he imagines Elexon "are in a dilemma as to if or how to pay."
I have reached out to Elexon for further information about the incident and will update this article if any statement is forthcoming. One of the questions I asked was whether the company could confirm reports that an unpatched Pulse Secure VPN server might have helped facilitate the attack. Earlier this year, the United States Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) issued an alert informing users who failed to update the VPN that they could "become compromised in an attack."